
Issue 810630 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 810561
Owner: ----
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Null-dereference READ in blink::CachedMatchedProperties::Clear

Project Member Reported by ClusterFuzz, Feb 9 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5035030192324608

Fuzzer: attekett_dom_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  blink::CachedMatchedProperties::Clear
  blink::MatchedPropertiesCache::Clear
  blink::StyleResolver::InvalidateMatchedPropertiesCache
  
Sanitizer: thread (TSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=535301:535306

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5035030192324608

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Feb 9 2018

Components: Blink>CSS Blink>Internals>WTF
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by yutak@chromium.org, Feb 9 2018

Components: -Blink>Internals>WTF
Cc: brajkumar@chromium.org
Labels: M-66 Test-Predator-Wrong CF-NeedsTriage
Unable to find the actual suspect through code search or from the CLs in the provided regression range, hence adding the appropriate label and leaving it untriaged pending further updates.

Thanks!
Mergedinto: 810561
Status: Duplicate (was: Untriaged)
Project Member

Comment 5 by ClusterFuzz, Feb 10 2018

ClusterFuzz has detected this issue as fixed in range 535924:535929.

Detailed report: https://clusterfuzz.com/testcase?key=5035030192324608

Fuzzer: attekett_dom_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  blink::CachedMatchedProperties::Clear
  blink::MatchedPropertiesCache::Clear
  blink::StyleResolver::InvalidateMatchedPropertiesCache
  
Sanitizer: thread (TSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=535301:535306
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=535924:535929

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5035030192324608

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
